The extent of the damage appears limited, according to Nokia. For
most customers, only their email address was lost (sowatch out for phishing!). For an
estimated 7 percent of customers "either birth dates, homepage URL or
usernames for AIM, ICQ, MSN, Skype or Yahoo" were also lost. More
sensitive information, however, like passwords and usernames, was not in the
affected database and remains safe.

Nokia writes:

You may
have seen reports or received an email from us regarding a recent security
breach on this developer.nokia.com/community discussion forum.

During our
ongoing investigation of the incident we have discovered that a database table
containing developer forum members' email addresses has been accessed, by
exploiting a vulnerability in the bulletin board software that allowed an SQL
Injection attack. Initially we believed that only a small number of these forum
member records had been accessed, but further investigation has identified that
the number is significantly larger.

The
database table records includes members’ email addresses and, for fewer than 7%
who chose to include them in their public profile, either birth dates, homepage
URL or usernames for AIM, ICQ, MSN, Skype or Yahoo. However, they do not
contain sensitive information such as passwords or credit card details and so
we do not believe the security of forum members’ accounts is at risk. Other
Nokia accounts are not affected.

We are not
aware of any misuse of the accessed data, but we are communicating with
affected forum members, though we believe the only potential impact to them may
be unsolicited email. Nokia apologizes for this incident.

Though the
initial vulnerability was addressed immediately, we have now taken the
developer community website offline as a precautionary measure, while we
conduct further investigations and security assessments. We hope to get the
site back online as soon as possible and will post developments here in the meantime.

Nokia
is hardly the first major online entity to be hacked by SQL injection, and is
unlikely to be the last. SQL injection (affectionately nicknamed a "Little Bobby
Tables" attack by web-comicXKCD), relies on sending
malformed queries to a publicly available SQL database hence
"injecting" unauthorized commands. To succeed the attacker must
gain physical access to the database (the ability to query it) and the database
engine must lack more advanced code to handle malformed queries.

SQL injection attacks are very preventable --
either by denying public access and/or by properly coding your database.
However, recent years have seen countless SQL injection attacks. In
2009Kaperskyand theAustralian
federal policewere both hacked via SQL injection. In 2010The
Pirate Bay washacked
via SQL injection. This year hackers employed the method to penetrate
several databases [1][2][3]
of Japanese electronics giant Sony Corp. (TYO:6758).

Thus farAnonymous and
other familiar "hacktivists" have not claimed responsibility for the
attack. It is unknown why the hacker(s) responsible targeted the Finnish
phone maker.

"The Space Elevator will be built about 50 years after everyone stops laughing" -- Sir Arthur C. Clarke